Privacy Policy
الإصدار 0.1 · سارٍ 2 يونيو 2026
How Dubai collects, uses, shares, and protects personal data under the UAE Personal Data Protection Law.
1. Identity of the Controller
Dubai Marketplace FZ-LLC ("we", "us", "our"), incorporated in the United Arab Emirates with offices in Business Bay, Dubai, is the data controller for personal data processed via the Dubai platform ("the Service").
Contact: privacy@example.com · Postal: Business Bay, Dubai, UAE.
2. Data Protection Officer (DPO)
Pursuant to Article 10 of Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the "PDPL"), we have appointed a Data Protection Officer who is responsible for overseeing compliance with the PDPL and this policy. Our DPO can be reached at: dpo@example.com.
If you have questions about how we handle your personal data, concerns about a possible breach of applicable data-protection law, or wish to exercise any of the rights described in Section 8, you are welcome to contact the DPO directly.
3. Personal Data We Collect
We collect and process personal data in three broad categories depending on how you interact with the Service.
(a) Data you provide directly:
- Account registration: full name, email address, phone number, profile photograph, preferred language and locale.
- Listings: property titles, descriptions, photographs, prices, addresses, floor plans, and contact preferences you choose to publish.
- Communications: messages you send through the in-platform messaging system, attachments, and metadata associated with those messages.
- Video and voice calls: call audio and video streams are processed in real time for translation and meeting functionality. Audio and video are not stored by default after a call ends (see Section 7 for retention details).
- Identity and professional verification: trade licence, RERA registration certificate, Emirates ID copy or equivalent identity document, submitted during broker or agency onboarding.
- Financial and billing data: wallet top-up instructions and billing-related correspondence. Card numbers and payment-instrument details are handled exclusively by our PCI-DSS-compliant payment processors; we receive only transaction metadata (amount, timestamp, masked card suffix, status).
(b) Data generated automatically by your use of the Service:
- Device and browser signals: IP address, browser type and version, operating system, screen resolution, preferred language, and referring URL.
- Behavioural data: pages visited, search queries entered, listings viewed or saved as favourites, filters applied, time on page, click events, and scroll depth.
- Communication metadata: timestamps of messages and calls, call durations, and identifiers of the parties involved.
- Performance and error data: application logs, crash reports, and latency measurements used to operate and improve the Service.
(c) Data received from third parties:
- Authentication providers: if you register or log in using a Google or Apple account, we receive the name, email address, and profile photo your provider shares with us, in accordance with your settings on that provider.
- Public business registries and licensing databases: we cross-check broker and agency details against publicly available or officially provided registries (e.g., RERA's broker database) to verify professional credentials.
- Fraud and risk intelligence vendors: we receive risk signals from specialist providers to help detect fraudulent listings, accounts, and transactions.
- Referral partners: if you arrive at Dubai through a partner referral link, we may receive the referral identifier from that partner.
4. Purposes and Legal Bases
We process personal data only for specific, explicit, and legitimate purposes. For each purpose we identify the legal basis under Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the "PDPL"), primarily Article 5 thereof.
| Purpose | Legal basis |
|---|---|
| Create and maintain your account | Performance of contract (Art. 5(b)) |
| Display listings and facilitate property inquiries | Performance of contract (Art. 5(b)) |
| Process payments and issue invoices | Performance of contract; legal obligation for tax and accounting (Art. 5(b) & (c)) |
| Deliver in-platform messaging and notifications | Performance of contract (Art. 5(b)) |
| Facilitate video/voice calls with real-time translation | Performance of contract + consent for translation processing (Art. 5(a) & (b)) |
| Verify broker and agency credentials | Performance of contract; legal obligation (AML compliance) (Art. 5(b) & (c)) |
| Detect, investigate, and prevent fraud and abuse | Legitimate interests — protecting users and the platform (Art. 5(d)) |
| Improve and personalise the Service (analytics, ML ranking) | Legitimate interests + consent for non-essential cookies (Art. 5(a) & (d)) |
| Send marketing communications and newsletters | Consent (Art. 5(a)), revocable at any time |
| Comply with court orders, regulator requests, legal process | Legal obligation (Art. 5(c)) |
| Enforce our Terms of Service | Legitimate interests (Art. 5(d)) |
| Safety and security monitoring | Legitimate interests (Art. 5(d)) |
Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests do not override your rights and freedoms. You may request a copy of that assessment by contacting privacy@example.com.
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Withdrawal of consent does not affect processing carried out under other legal bases.
5. Sharing of Personal Data
We do not sell, rent, or trade your personal data to third parties for their own commercial purposes.
We share personal data only in the following circumstances:
Subprocessors. We engage carefully selected service providers who process data on our behalf and under our instructions. Our current subprocessor list is maintained at https://example.com/trust/subprocessors. Categories of subprocessors include:
- Cloud infrastructure and hosting (Hetzner Online GmbH, Germany)
- Video and voice call infrastructure (Daily.co, United States)
- Real-time AI translation (OpenAI, United States)
- Transactional email and notification delivery
- Content delivery network (CDN) and DDoS/security services
- Error monitoring and performance observability
- Payment processing
All subprocessors are bound by data-processing agreements that impose confidentiality and security obligations at least as protective as those we commit to you.
Other users of the platform. Information you publish as part of a listing or public profile (such as your name, photograph, agency affiliation, and listing details) is visible to other registered and guest users in accordance with your privacy settings. Private messages remain visible only to the participants in that conversation.
Authorities and law enforcement. We may disclose personal data when required to do so by applicable UAE law, by valid order of a court of competent jurisdiction, or by a legitimate request from a UAE government authority, regulator, or law-enforcement body. Where permitted by law, we will endeavour to notify you before disclosing your data so that you may seek appropriate relief.
Corporate transactions. In the event of a merger, acquisition, restructuring, asset sale, or similar transaction involving Dubai, personal data may be transferred to the acquiring or successor entity. Any such transfer will be subject to commitments of equivalent data protection, and we will notify you via the Service or email before your data becomes subject to a different privacy policy.
With your consent. We may share data with third parties not listed above where you have given us your explicit, specific, and informed consent to do so.
6. International Transfers
The Dubai platform is operated from the UAE. However, some of our subprocessors are located or process data in jurisdictions outside the UAE, including the European Union, the United Kingdom, and the United States.
Where we transfer personal data outside the UAE, we do so under one or more of the following safeguards:
- Adequacy determination: the recipient country has been recognised by the UAE Data Office as providing an adequate level of protection.
- Contractual safeguards: we execute Standard Contractual Clauses or equivalent contractual instruments approved or recognised by the UAE Data Office.
- Pseudonymisation and minimisation: where technically feasible, we pseudonymise or minimise data before cross-border transfer to reduce risk to data subjects.
- Explicit consent: for certain specific transfers, we rely on your express consent after informing you of the risks.
For transfers to the United States — in particular to OpenAI for real-time voice translation — we rely on contractual safeguards and apply pseudonymisation of call metadata where feasible. We do not transfer raw audio to OpenAI beyond the streaming window required for real-time processing.
You may request further information about the specific safeguards applicable to any particular transfer by contacting privacy@example.com.
7. Retention
We retain personal data for no longer than is necessary for the purpose for which it was collected, or as required by applicable UAE law.
| Data category | Retention period |
|---|---|
| Account and profile data | Duration of active account + 30 days after account closure |
| Listing data | Duration of listing + 12 months after expiry or removal |
| In-platform messages | 36 months from the date of the last message in a conversation |
| Wallet and billing records | 7 years (UAE VAT law and accounting requirements) |
| Verification documents (trade licence, ID) | 7 years (AML and regulatory compliance) |
| Audit and access logs | 24 months |
| Video call audio and video | Not stored — live only; discarded when call ends |
| AI translation transcripts | Discarded at end of call; not persisted to database |
| Consent records | 5 years from date of withdrawal or last relevant interaction |
| Fraud and security investigation records | Until resolution of the investigation + applicable limitation period |
Retention periods may be extended where personal data is the subject of an active legal hold, court order, or regulatory investigation. When a retention period expires, data is securely deleted or anonymised so that it can no longer be attributed to an identified or identifiable individual.
8. Your Rights
Under the PDPL, you have the following rights in relation to personal data we hold about you:
- Right of access (Art. 13): you may request confirmation of whether we process personal data about you, and if so, a copy of that data together with information about how we use it.
- Right to correction (Art. 14): you may request that we correct any inaccurate or incomplete personal data without undue delay.
- Right to erasure (Art. 15): you may request deletion of your personal data where it is no longer needed for the purposes for which it was collected, where you have withdrawn consent and no other legal basis applies, or where processing is unlawful. This right is subject to our legal and contractual retention obligations.
- Right to restriction of processing (Art. 16): you may request that we restrict processing of your personal data in certain circumstances, for example while the accuracy of data you have contested is being verified.
- Right to data portability (Art. 17): where processing is based on your consent or a contract and carried out by automated means, you may receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Right to object (Art. 18): you may object to processing of your personal data where we rely on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your rights, or processing is necessary for the establishment, exercise, or defence of legal claims.
- Right to withdraw consent: where we rely on consent as a legal basis, you may withdraw that consent at any time via your account privacy settings or by emailing privacy@example.com. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to object to automated decision-making (Art. 19): see Section 12 below.
- Right to lodge a complaint: if you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (dataoffice.gov.ae).
How to exercise your rights. Submit your request to privacy@example.com or via the privacy request form in your account settings. We will acknowledge your request within 5 business days and respond substantively within 30 calendar days. If we need additional time due to the complexity or volume of requests, we will notify you within the initial 30-day period.
We may ask you to verify your identity before we process your request, in order to protect the security of your data.
9. Cookies and Similar Technologies
We use cookies, pixel tags, local storage, and similar tracking technologies on our website and within the application.
Cookies we deploy fall into three functional categories:
- Essential cookies: strictly necessary to operate the Service — authentication sessions, security tokens, load-balancing. These cannot be disabled without breaking core functionality.
- Analytics cookies: help us understand how users interact with the platform so we can improve it (e.g., page-view statistics, funnel analysis). We use only cookieless or consented analytics where feasible.
- Marketing cookies: used to measure advertising effectiveness and, where permitted, serve relevant property or investment advertisements on third-party platforms.
On your first visit, a cookie consent banner will invite you to accept or customise non-essential categories. You may update your preferences at any time from Settings → Privacy → Cookie preferences (/account/privacy). Full details of individual cookies — including name, provider, purpose, and expiry — are set out in our Cookie Policy (/policies/cookie).
Please note that disabling certain analytics or marketing cookies does not prevent us from collecting device data that is strictly necessary for security and fraud prevention.
10. Children
The Service is directed at adults and is not intended for use by individuals under the age of 18. We do not knowingly collect or solicit personal data from minors. If we become aware that we have inadvertently collected personal data from a person under 18 without verifiable parental or guardian consent, we will take prompt steps to delete that data.
If you are a parent or guardian and believe that your child has provided personal data to us, please contact privacy@example.com. We will investigate and, where confirmed, delete the data without undue delay.
11. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Our security programme includes, but is not limited to:
- Transport Layer Security (TLS 1.2 or higher) for all data in transit.
- Encryption at rest for databases and file storage using AES-256 or equivalent.
- Role-based access control (RBAC) ensuring staff access only data they need for their role.
- Multi-factor authentication for all internal administrative systems.
- Comprehensive audit logging of access to sensitive data categories.
- Regular automated dependency scanning and timely application of security patches.
- Annual penetration testing by an independent security firm.
- A documented Incident Response Plan that is tested periodically.
No information system can guarantee absolute security. In the event of a personal-data breach that is likely to result in risk to your rights and freedoms, we will notify you and the UAE Data Office within 72 hours of becoming aware of the breach, as required by Article 22 of the PDPL. Our notification will describe the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or propose to take to address it.
If you discover or suspect a security vulnerability, please report it responsibly to security@example.com.
12. Automated Decision-Making and Profiling
We use automated systems for a number of operational and product purposes, including:
- Fraud detection: automated scoring of account and listing signals to identify potentially fraudulent activity.
- Listing ranking and search relevance: algorithmic ranking that determines the order in which listings appear in search results and recommendation feeds.
- Content moderation: automated screening of listing images and text against prohibited-content policies.
In cases where a fully automated decision produces a legal or similarly significant effect on you — for example, account suspension based solely on automated fraud scoring — you have the right under PDPL Article 19 to request human review of that decision. To exercise this right, contact privacy@example.com with the subject line "Human Review Request" and a description of the decision you are contesting. We will respond within 30 days.
We will not use your personal data for fully automated profiling that produces significant effects based on sensitive categories of data (such as health, religious beliefs, or political opinions) without your explicit consent.
13. Updates to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. When we make material changes, we will:
- Publish the updated policy at /privacy with a revised effective date.
- Display a notice within the application to logged-in users.
- Send an email notification to the address associated with your account.
We will provide at least 14 days' notice before material changes take effect. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the revised policy. If you do not agree with the changes, you should stop using the Service and may close your account.
Minor changes (such as typographical corrections or clarifications that do not affect your rights) will take effect immediately and will not trigger a separate notification.
14. Contact
If you have any questions, concerns, or requests relating to this Privacy Policy or our data-protection practices, you may contact us through any of the following channels:
- General privacy enquiries: privacy@example.com
- Data Protection Officer: dpo@example.com
- Postal address: Dubai Marketplace FZ-LLC, Business Bay, Dubai, United Arab Emirates
- UAE Data Office (supervisory authority): dataoffice.gov.ae
We are committed to working with you to resolve any concern about your privacy. If you feel that your concern has not been adequately addressed after contacting us, you have the right to escalate to the UAE Data Office.
This document is a draft for internal review and does not constitute legal advice. It must be reviewed and approved by qualified UAE legal counsel before publication. Version 0.1 — effective 2 June 2026.